Dynamix WireGuard VPN


bonienl


12 minutes ago, Bob@unraid said:

I have 2 NICs on my mainboard, currently working as bond0 with adaptive load balancing.

 

Is it possible to run the Wireguard VPN (unraid server as client) at eth0 and the "normal" local ethernet / internet at eth1?

 

I've had no success at getting questions answered about multi-NIC Unraid WireGuard installations.  I've posted here and here in this thread and had zero responses, publicly or privately.  I also private-messaged bonienl, author of the WireGuard plugin, more than a week ago.  Although he has been logged on since then, I've not had any response from him, either.

 

I've not seen any information on how to, or whether you can, selectively bind an instance of WireGuard to a particular NIC. Based on my experimentation, it appears to attach itself to whichever NIC is attached to the gateway with the lowest metric.

 

In my case, I have two NICs attached to two different network segments, each with its own gateway (Verizon on one, Cox on the other).  I want to bind WireGuard to each NIC so that I have redundant paths into my local network so that a single point of failure cannot lock me out when I am operating remotely.

 

Maybe as time goes on, mechanisms to do what we want, and/or documentation as to how to do it, will be developed.


Greeting again.

Can anyone confirm this is the correct Static Route I need to set in a Unifi router? I still cannot access custom networks from my WG client. Normal LAN is fine.

[screenshot of the static route]

7 hours ago, Boo-urns said:

Greeting again.

Can anyone confirm this is the correct Static Route I need to set in a Unifi router? I still cannot access custom networks from my WG client. Normal LAN is fine.

[screenshot of the static route]

 

Everyone's setup is different. Go to the VPN Settings page, enter advanced mode, and show a screenshot of the static route it tells you to setup.

4 hours ago, ljm42 said:

 

Everyone's setup is different. Go to the VPN Settings page, enter advanced mode, and show a screenshot of the static route it tells you to setup.

Attached. Seems right, but isn't working. So I need to set up firewall rules also?

[screenshot of the VPN Settings advanced view]

2 hours ago, Boo-urns said:

Attached. Seems right, but isn't working. So I need to set up firewall rules also?

 

Yeah, I'd say that looks right.

 

Read through the WireGuard quickstart guide:

  https://forums.unraid.net/topic/84226-wireguard-quickstart/

Particularly the section titled "Complex networks" which explains how a few key settings work together to get custom IPs working.

 

Also, why are you ignoring the warning that the local endpoint you entered doesn't resolve to the correct IP?

 

1 hour ago, ljm42 said:

Also, why are you ignoring the warning that the local endpoint you entered doesn't resolve to the correct IP?

It resolves to the correct IP. I just have it set to my DDNS address, which resolves to my public IP.

I have the static route set, host access enabled and Use NAT=No, however cannot access custom networks. These being other VLANs, DelugeVPN docker (which is set to bridge network), my CCTV VLAN. All of these I can access when connected to my LAN normally.

 

On 4/16/2021 at 1:20 PM, Sissy said:

Dual-homed Unraid NAS (version 6.9.2) with WireGuard (plugin version 2021.04.12) tunnels on each of the two Ethernet adapters?

 

I have an Unraid NAS with two Ethernet adapters.  One adapter connects to a Verizon FIOS residential network segment (192.168.1.0/24) and the other connects to a Cox Business Services network segment (192.168.0.0/24).  

 

I would like to have WireGuard VPN tunnels on both of the Unraid NAS Ethernet adapters so that I can remotely tunnel  in on either network connection (think failure of a router, firewall, cable modem, ONT, etc.).  

 

I can't see a way to bind tunnel wg0 to eth 0 and tunnel wg1 to eth 1.  It appears that the WireGuard plugin attaches any tunnel created to the Ethernet adapter attached to the gateway with the lower metric. 

 

If a VPN tunnel is established on the Cox Business Services Ethernet adapter (eth 0), I want WireGuard to use the Cox gateway associated with that adapter.  If it comes in on the Verizon side, I want the Verizon gateway used.

 

Thanks in advance for any assistance.  

Is there anyone offering paid support for WireGuard in Unraid?  I have asked this question three times in the forums and once in a private DM to bonienl and have not received even a single answer.

11 hours ago, Sissy said:

Is there anyone offering paid support for WireGuard in Unraid?  I have asked this question three times in the forums and once in a private DM to bonienl and have not received even a single answer.

 

bonienl and I know the most about WireGuard here. I don't know how to do what you are asking, and since he hasn't responded, he doesn't either. I'm sorry, that is out of scope for this plugin.

12 hours ago, Boo-urns said:

It resolves to the correct IP.


Are you saying the warning is incorrect? It says that your DDNS does not resolve to your public IP.

Would you mind PMing me the uncensored screenshot and helping me understand what is wrong about the warning? Is there something we need to change? Or do you have a complex setup with multiple public IPs?

 

12 hours ago, Boo-urns said:

cannot access ..  DelugeVPN docker (which is set to bridge network)

 

If you are able to access the webgui then you should be able to access another port on the webgui's host.

 

Are you accessing it by IP address or by hostname?  http://ipaddress:dockerport should work, or whatever hostname you use for the webgui followed by ":dockerport".  

 

In general a hostname like "tower" will not work through the tunnel, see the "About DNS" section of the first post here: https://forums.unraid.net/topic/84226-wireguard-quickstart/

 

12 hours ago, Boo-urns said:

cannot access custom networks. These being other VLANs, ..., my CCTV VLAN. All of these I can access when connected to my LAN normally.

 

 

On the VPN Settings page, click the little "eye" icon next to the peer you are working on. It will bring up a window that says "Remote peer configuration" (if it says "Local server configuration" then you are looking at the wrong one)

 

It has an entry for "AllowedIPs" that lists all of the networks the client is allowed to access. If you are running the latest version of the plugin it should automatically add the networks that Unraid knows about to this field. Are the networks you are trying to access listed here?

If not, you will need to add them after you have downloaded the file to the client.

 

(note: some versions of the plugin had issues with this, so as an extra step make sure you have version 2021.04.12 of the plugin, then make a small change to the client and hit save to regenerate the client file. And of course, you need to install the updated client file on the client whenever you make changes)

3 hours ago, ljm42 said:

 

bonienl and I know the most about WireGuard here. I don't know how to do what you are asking, since he hasn't responded then he doesn't either. I'm sorry, that is out of scope for this plugin.

Thanks for your reply.  

 

Feature request:  With multiple NICs being common, users should be able to assign to which NIC WireGuard tunnels connect, even if they can only pick a single NIC for all WireGuard tunnels.

 

I have two connections, a 940/880 Mbps (down/up) residential Internet connection and a 50/10 Mbps business Internet connection.  The former has a dynamic IP and terms of service that prohibit running servers (think VPN) while the latter has multiple static IPs and permits servers of any kind.  

 

I don't want my Unraid box using up the very limited bandwidth of the business connection, or taking the massive performance hit.  Therefore, I had set the metric on the residential gateway lowest.  But I do want WireGuard on the business connection with a static IP address (via NAT port forwarding).

 

While I would like to have a Wireguard tunnel available on the residential connection, it would be for emergency use only, such as when I am out of town and there's been some sort of network outage on the business side.  That would be unlikely to be detected as a server with only sporadic, personal use.

 

 


Sorry, I was off for a while.

 

WireGuard isn't bound to an interface, instead it uses routing to determine how to set up the tunnel.

 

Normally the end-point is reached by Unraid via the default gateway, which is reachable by interface eth0 (it holds the default route).

 

If you want a WireGuard tunnel to run over a different interface, you need to make sure the routing on Unraid to reach the end-point of this tunnel points to the interface you want to use.

 

It is already possible to define different tunnels and let them run via different interfaces, but the routing must be correct to do so.

 

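A worked illustration of the routing point bonienl makes above, added here as an example; it is not code from the Unraid WireGuard plugin or from anyone in the thread. It replays the Linux main-table lookup that WireGuard depends on when it sends to a peer's Endpoint (longest matching prefix wins, then the lowest metric) over a constructed table for a dual-WAN host like the one described, and shows that both tunnels leave via the lower-metric default route until a host route for the second tunnel's Endpoint points at the other gateway. Interface names, addresses and gateways are assumptions.

```python
"""Which NIC a WireGuard tunnel leaves on, decided by the routing table.

Added example for this thread; it is not code from the Unraid WireGuard
plugin. It replays the Linux main-table lookup WireGuard relies on when it
sends to a peer's Endpoint: longest matching prefix wins, and among equal
prefixes the lowest metric wins. Interface names, addresses and gateways
are constructed to mirror the thread's dual-WAN setup and are assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    dst: IPv4Network            # destination prefix
    dev: str                    # egress interface
    via: Optional[IPv4Address]  # next-hop gateway, None if directly connected
    metric: int = 0


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Route the kernel would select for dst: longest prefix, then lowest metric."""
    addr = IPv4Address(dst)
    candidates = [r for r in table if addr in r.dst]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.dst.prefixlen, r.metric))


def egress_for_tunnels(table: List[Route], endpoints: Dict[str, str]) -> Dict[str, str]:
    """Map each tunnel to the interface its Endpoint traffic (and so the tunnel) leaves on."""
    result = {}
    for name, endpoint in endpoints.items():
        route = lookup(table, endpoint)
        result[name] = route.dev if route else "unroutable"
    return result


def pin_endpoint(table: List[Route], endpoint: str, dev: str, via: str) -> List[Route]:
    """Copy of table plus a /32 host route that forces one Endpoint out a chosen interface.
    Same effect as: ip route add <endpoint>/32 via <via> dev <dev>."""
    return table + [Route(IPv4Network(f"{endpoint}/32"), dev, IPv4Address(via))]


# Constructed table for a dual-homed host: two default routes, eth0 (residential,
# 192.168.1.0/24) preferred by metric over eth1 (business, 192.168.0.0/24).
BASE_TABLE = [
    Route(IPv4Network("0.0.0.0/0"), "eth0", IPv4Address("192.168.1.1"), metric=100),
    Route(IPv4Network("0.0.0.0/0"), "eth1", IPv4Address("192.168.0.1"), metric=200),
    Route(IPv4Network("192.168.1.0/24"), "eth0", None),
    Route(IPv4Network("192.168.0.0/24"), "eth1", None),
]

# Constructed remote Endpoints (documentation ranges) that wg0 and wg1 dial.
ENDPOINTS = {"wg0": "203.0.113.10", "wg1": "198.51.100.20"}


if __name__ == "__main__":
    print("without host route:", egress_for_tunnels(BASE_TABLE, ENDPOINTS))
    pinned = pin_endpoint(BASE_TABLE, ENDPOINTS["wg1"], "eth1", "192.168.0.1")
    print("with host route:   ", egress_for_tunnels(pinned, ENDPOINTS))
```

The `pin_endpoint` step is what `ip route add 198.51.100.20/32 via 192.168.0.1 dev eth1` does on a Linux host, and it only helps for an Endpoint you know in advance. The inbound case raised later in the thread (a server that should answer out of whichever NIC the peer reached it on, with a peer address that changes) is source-based policy routing (`ip rule ... from <NIC address> lookup <table>`), which a static route cannot express.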
8 hours ago, bonienl said:

Sorry, I was off for a while.

 

No problem at all.  I'm grateful whenever someone finds the time to assist me.

 

8 hours ago, bonienl said:

WireGuard isn't bound to an interface, instead it uses routing to determine how to set up the tunnel.

 

Normally the end-point is reached by Unraid via the default gateway, which is reachable by interface eth0 (it holds the default route).

 

If you want a WireGuard tunnel to run over a different interface, you need to make sure the routing on Unraid to reach the end-point of this tunnel points to the interface you want to use.

 

It is already possible to define different tunnels and let them run via different interfaces, but the routing must be correct to do so.

 

 

I will have to learn Unraid's routing UI. I'm guessing it can't be that different from pfSense and my EdgeRouter 4.

 

With a dynamic IP address as the end-point, I'm going to have to think about how to handle the routing.  It's a shame I can't just check a box that says "accept tunnel open requests on any NIC and reply out the same NIC through which the tunnel was opened."

 


I recently ran into an issue I need help troubleshooting. I originally posted in the general support (HERE) but doing some troubleshooting myself I realized it was wireguard causing the issue. I had wireguard setup for remote LAN access only. 

 

To summarize, when I restart the docker service from the WebUI while WireGuard was running, all networking on Unraid would break. I wouldn't be able to ping the server from a separate PC, and when I tried to ping anything from Unraid it was unable to reach anything. Everything would work fine as long as I didn't try to stop the docker service. I run a Windows 10 VM with a GPU passed through and the VM would continue to function normally, it would even still have internet access, but it was also not able to access Unraid in any way.

Troubleshooting was kind of a pain because I run Unraid headless (primary GPU is passed through to the VM), so when the networking went down I was unable to see the console (I could plug in a keyboard and blindly run commands, which is how I was able to get diagnostics and cleanly shut down).

 

I posted the log in my original post. Any help would be appreciated since I would like to have wireguard setup.


I'm using a travel router to connect to my home server running Wireguard. It works great - good speeds and everything. Problem is that I can't access any of the URLs I have setup behind my NginxProxyManager. They all time out when I try to access them over the VPN. I can get to them just fine when I'm not connected. Is there something I need to change to get it working? Some DNS issue maybe?


So I'm trying to set up something slightly more "advanced" in terms of firewalling for the VPN.

I have two tunnels configured, one which is only me, and I don't actively use this tunnel intentionally. It's my backup way in.
My second tunnel is where all of my actual endpoint users connect. Ideally, I want them to have access to:
10.253.0.1 (Unraid on the Wireguard side), 192.168.252.72 (Unraid on the local LAN side), 192.168.252.254 (Local DNS) and no other local IP addresses.
How can I set this up with a blacklist or whitelist? Currently I'm whitelisting the above addresses, but with 0.0.0.0/0 and ::0 in their peer configs, and DNS pointing to 192.168.252.254 the result is they have access to my server, and my DNS - but nothing else on the internet.

If I switch to blacklist, I'd have to blacklist each individual IP address (from what I can gather) from 192.168.252.1 - 192.168.252.72 and then from .73 to .253. And then I'd have to repeat that for the wireguard subnet.

Is there a simpler way to implement this type of access restriction that I'm overlooking?

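An added example (not code from the plugin or from anyone in the thread) covering two things raised above: ljm42's check that the networks a client needs are actually inside its [Peer] AllowedIPs, and the whitelist-versus-blacklist question in the post just above. The client config text and every address are constructed; `ipaddress.address_exclude` does the prefix arithmetic.

```python
"""AllowedIPs checks for a WireGuard client config.

Added example, not code from the Unraid plugin or from anyone in the thread.
It covers two questions raised above: whether the networks a client needs
are inside its [Peer] AllowedIPs (the check ljm42 describes), and what the
"whitelist" and "blacklist" forms of a restricted AllowedIPs look like as
prefixes. The config text and every address below are constructed.
"""
from ipaddress import IPv4Network, ip_network
from typing import Iterable, List

# Constructed client config in wg-quick syntax. The AllowedIPs line deliberately
# leaves out a 192.168.178.0/24 LAN so the coverage check has something to report.
CLIENT_CONF = """\
[Interface]
PrivateKey = <redacted>
Address = 10.253.0.2/32
DNS = 192.168.252.254

[Peer]
PublicKey = <redacted>
Endpoint = vpn.example.net:51820
AllowedIPs = 10.253.0.1/32, 192.168.252.0/24, 172.31.200.0/24
PersistentKeepalive = 25
"""


def parse_allowed_ips(conf: str) -> List[IPv4Network]:
    """Collect the IPv4 prefixes from every AllowedIPs line in the config."""
    nets: List[IPv4Network] = []
    for line in conf.splitlines():
        key, _, value = line.partition("=")
        if key.strip().lower() != "allowedips":
            continue
        for token in value.split(","):
            net = ip_network(token.strip(), strict=False)
            if net.version == 4:
                nets.append(net)
    return nets


def uncovered(allowed: Iterable[IPv4Network], wanted: Iterable[str]) -> List[IPv4Network]:
    """Networks in wanted that no AllowedIPs prefix fully contains; these never enter the tunnel."""
    allowed = list(allowed)
    return [w for w in map(ip_network, wanted) if not any(w.subnet_of(a) for a in allowed)]


def whitelist(hosts: Iterable[str]) -> List[IPv4Network]:
    """Split-tunnel form: only these hosts are routed into the tunnel."""
    return sorted(ip_network(f"{h}/32") for h in hosts)


def lan_minus(lan: str, hosts: Iterable[str]) -> List[IPv4Network]:
    """'Blacklist' form: the LAN prefix with the given hosts carved out, as the
    minimal set of CIDR blocks (address_exclude splits along the prefix tree)."""
    remaining = [ip_network(lan)]
    for h in hosts:
        host = ip_network(f"{h}/32")
        next_remaining = []
        for block in remaining:
            if host.subnet_of(block):
                next_remaining.extend(block.address_exclude(host))
            else:
                next_remaining.append(block)
        remaining = next_remaining
    return sorted(remaining)


if __name__ == "__main__":
    allowed = parse_allowed_ips(CLIENT_CONF)
    print("not reachable through the tunnel:",
          uncovered(allowed, ["192.168.178.0/24", "192.168.252.72", "172.31.200.5"]))
    print("whitelist:", whitelist(["10.253.0.1", "192.168.252.72", "192.168.252.254"]))
    print("LAN minus two hosts:", lan_minus("192.168.252.0/24", ["192.168.252.72", "192.168.252.254"]))
```

`AllowedIPs = 0.0.0.0/0, ::/0` on the client sends every packet into the tunnel, so when the Unraid side is not NATing that traffic out to the internet, general internet access stops exactly as described; the three-host whitelist above is the split-tunnel form that keeps internet on the client's own uplink. `lan_minus` shows the blacklist form is 14 prefixes rather than 253 individual addresses, but still far longer than the whitelist. Either way this is the client's routing decision, not enforcement: the server's own AllowedIPs entry for a peer only controls which source addresses it accepts from that peer, so restricting which LAN destinations a peer may reach has to be done with a packet filter on the Unraid host.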

Hi folks. Is it possible to use a different gateway with WireGuard? I don't see a place to configure it. I have a server running a VPN that I'd like to route WireGuard traffic through once it enters my LAN. Would I have to change the gateway for my UNRAID server for this to work?


Trying to set this up & encountering an issue with UPnP/port forwarding. I'm getting the remark "UPnP: forwarding not set" & "The Local endpoint resolves to xx.xx.xx.xx. In most cases, this should be your public WAN IPv4 instead: xx.xx.xx.xx", where xx.xx.xx.xx show my correct public IP, on both mentions in the message.

This is the port forward on my router:
[screenshot of the router port forward]

 

& it also shows UPnP is enabled:

[screenshot showing UPnP enabled on the router]

 

I'm using DuckDNS & it's working fine for other services, but this just doesn't seem to change. I've also set the "Local gateway uses UPnP" setting to both yes & no, with no change. When set to No, it shows "Remark: configure your router with port forwarding of port 51820/UDP to 192.168.0.103:51820" instead of "UPnP not set" & when set to yes, it just says the message as above.

 

I don't have anything special/complex going on in terms of my network, so not entirely sure what's going on. Anyone any pointers?


Hi people.

I have a weird problem with WireGuard.

I just started my 5th Unraid server (and therefore 5th WireGuard setup). So it's a clean Unraid install, only the WireGuard plugin installed.

I have forwarded port 51820 to my unraid server IP, and no matter what I do, I cannot access my server from outside. Looks like wireguard isn't working.

When adding a peer (remote access to lan) I get popup:

Peer update required
List of peers
wg0: peer 1 (test)
wg0: peer 2 (no name)

 

My port forwards are correct, other apps are working fine. I created OpenVPN on my router (Mikrotik) and it's working fine, but I would love to have WireGuard as I'm using it on all my other servers.

Is there something I can do, check, anything really?

 

I'm struggling with this for the last 5 days, even tried replacing the router (I had an EdgeRouter X, now Mikrotik).

I would appreciate any help or suggestion.

Thank you

On 5/20/2021 at 6:28 AM, xxDeadbolt said:

I'm getting the remark "UPnP: forwarding not set" & "The Local endpoint resolves to xx.xx.xx.xx. In most cases, this should be your public WAN IPv4 instead: xx.xx.xx.xx", where xx.xx.xx.xx show my correct public IP, on both mentions in the message.

I've seen this message show some false positives, haven't been able to figure out why. Safe to ignore.

 

Have you enabled UPnP on Settings -> Management Access? If so, it seems that for whatever reason the Unraid UPnP client isn't able to talk to your router. I guess you'll need to manually setup the port forward.

14 hours ago, INTEL said:

Is there something I can do, check, anything realy?

 

WireGuard is notoriously difficult to troubleshoot because it fails silently. It is mainly a matter of double checking your work. Rather than ask the same "did you check this", "did you do that" list of questions I created a post to go through it. See the second post in this thread (it wouldn't hurt to read the first one too):

https://forums.unraid.net/topic/84226-wireguard-quickstart/

 

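An added example, not code from the plugin or from anyone in the thread, for the "fails silently" point: WireGuard does not answer a packet it cannot authenticate (which is also why the UDP scan mentioned in the next post shows open|filtered whether or not the tunnel works), so the output of `wg show <interface> dump` is the evidence to read. The column layout used here is the real one; the keys, addresses, counters and timestamps are constructed.

```python
"""Triage of a `wg show <interface> dump` capture.

Added example, not code from the plugin or from anyone in the thread.
WireGuard never answers a packet it cannot authenticate, so there is no
error to read; the handshake timestamps and byte counters in the dump are
the evidence. The column layout is the real one (interface line: private
key, public key, listen port, fwmark; one line per peer: public key,
preshared key, endpoint, allowed IPs, latest handshake as unix seconds or
0, transfer-rx, transfer-tx, persistent keepalive; tab-separated). The
keys, addresses and timestamps below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import List, Tuple

NOW = 1_621_000_000  # fixed "current time" so the example is reproducible

# Constructed capture: peer1 never handshook and saw no traffic, peer2 is
# healthy, peer3 completed a handshake an hour ago and then went quiet.
DUMP = (
    "SERVER_PRIVATE_KEY_PLACEHOLDER=\tSERVER_PUBLIC_KEY_PLACEHOLDER=\t51820\toff\n"
    "peer1pub=\t(none)\t(none)\t10.253.0.2/32\t0\t0\t0\t25\n"
    f"peer2pub=\t(none)\t203.0.113.7:41641\t10.253.0.3/32\t{NOW - 90}\t1480\t2960\toff\n"
    f"peer3pub=\t(none)\t198.51.100.9:51820\t10.253.0.4/32\t{NOW - 3600}\t148\t888\t25\n"
)


@dataclass
class Peer:
    public_key: str
    endpoint: str            # "(none)" until the peer has ever been heard from
    allowed_ips: List[str]
    latest_handshake: int    # unix seconds, 0 = never completed
    rx_bytes: int
    tx_bytes: int
    keepalive: str           # "off" or the interval in seconds

    def state(self, now: int, stale_after: int = 180) -> str:
        """'never' without any completed handshake, 'stale' when the last one is older
        than stale_after (a live peer re-handshakes about every two minutes), else 'ok'."""
        if self.latest_handshake == 0:
            return "never"
        if now - self.latest_handshake > stale_after:
            return "stale"
        return "ok"


def parse_dump(text: str) -> Tuple[int, List[Peer]]:
    """Return (listen_port, peers) from `wg show <iface> dump` output."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    listen_port = int(lines[0].split("\t")[2])
    peers = []
    for line in lines[1:]:
        f = line.split("\t")
        if len(f) != 8:
            raise ValueError(f"unexpected peer line: {line!r}")
        peers.append(Peer(f[0], f[2], f[3].split(","), int(f[4]), int(f[5]), int(f[6]), f[7]))
    return listen_port, peers


def triage(text: str, now: int) -> List[Tuple[str, str, str]]:
    """(public_key, state, hint) for every peer that is not healthy."""
    _, peers = parse_dump(text)
    findings = []
    for p in peers:
        s = p.state(now)
        if s == "ok":
            continue
        if s == "never" and p.rx_bytes == 0 and p.tx_bytes == 0:
            hint = ("nothing sent or received: the peer's packets never reached this interface; "
                    "check the UDP port forward and the Endpoint in the client config")
        elif s == "never":
            hint = ("packets moved but no handshake completed: a key on one side does not match "
                    "the other side's config, or the remote Endpoint is not answering")
        else:
            hint = f"last handshake {now - p.latest_handshake}s ago: the peer went quiet or lost its path here"
        findings.append((p.public_key, s, hint))
    return findings


if __name__ == "__main__":
    for key, state, hint in triage(DUMP, NOW):
        print(f"{key} [{state}] {hint}")
```

On the Unraid side the same command with the real interface name gives the dump; a peer whose line keeps a latest-handshake of 0 and zero counters has never been reached at all, which points at the port forward or the Endpoint the client dials rather than at anything in the tunnel itself.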
7 hours ago, ljm42 said:

 

WireGuard is notoriously difficult to troubleshoot because it fails silently. It is mainly a matter of double checking your work. Rather than ask the same "did you check this", "did you do that" list of questions I created a post to go through it. See the second post in this thread (it wouldn't hurt to read the first one too):

https://forums.unraid.net/topic/84226-wireguard-quickstart/

 

Yeah, I saw that, and already tried everything, gone through everything on that list.

This isn't my first setup of WireGuard on Unraid, I actually have it on a few other Unraid servers already with no problem.

I'm positive that my port forward is working, I already have some other ports on the Mikrotik router working (for a Hikvision DVR).

When I try to scan port 51820/UDP I can see it open|filtered, same as in my other locations where I have WireGuard and port 51820 open.

I tried redoing the tunnel and peer countless times now for the last 7 days, and can't seem to figure out what's wrong.

Is there any other version of the plugin (older maybe) I can try? That's the only thing I didn't try. I'm currently on 2021.05.10a.

 

17 hours ago, ljm42 said:

I've seen this message show some false positives, haven't been able to figure out why. Safe to ignore.

 

Have you enabled UPnP on Settings -> Management Access? If so, it seems that for whatever reason the Unraid UPnP client isn't able to talk to your router. I guess you'll need to manually setup the port forward.

 

Yep, UPnP was enabled. 

So, I'd already set the port forward manually... I just didn't think to try completing the set up & seeing if it worked anyway. That error made me fixate on it; however, it's set up & connecting fine. Thanks for the nudge, not sure why the UPnP client isn't playing ball with my router, but it works!


Hello friends, If I activate "Host access to custom networks" in docker, I can no longer access my network devices in network 192.168.178.0 with wireGuard. The "Remote access to LAN" setting is activated. Can you help me?

Sent from my SM-G998B using Tapatalk

20 hours ago, guybrush2012 said:

Hello friends, If I activate "Host access to custom networks" in docker, I can no longer access my network devices in network 192.168.178.0 with wireGuard. The "Remote access to LAN" setting is activated. Can you help me?

 

Please see this post: https://forums.unraid.net/topic/84226-wireguard-quickstart/ 

 

 

Particularly the section on "Complex Networks" 
